Unique Wildcards AOB Guide [Not For Beginners]

Post by cfemen » Wed Jan 22, 2020 12:42 am

Heyo,

What you should know if you want to follow this guide:
- Basic ASM understanding
- Experience with wildcards

While updating my Firestone table I was really annoyed by the fact that every new update "destroys" my table, because it's not possible to find AOBs without E8 (call) or similar instructions that contain addresses.

I guess I don't need to explain why it's handy to use wildcards.
The problem I've faced:
Firestone uses a code obfuscator that generates many fake copies of functions/methods, so it's impossible to find unique AOBs with wildcards.

Then I remembered Cheat Engine's function for regions and I started to code a little method for region scanning.

How To Do:

(1) Find a spot
Go into your function/method where you can't find unique AOBs.
Use a breakpoint on C3/ret: now search this function for unique AOBs near the desired call. If you don't find any -> breakpoint on return and repeat until you've got some (obfuscators mostly ignore update/tick functions ;) )

(2) Create script
Now you should have unique AOBs near a call.
Create an AA script and do a normal aobscan for these AOBs:

```asm
aobscanmodule(AobSearch,GameAssembly.dll,48 8D 54 24 20 0F 29 44 24 60 F2 0F 11 54 24 70 E8) // sample
```

Allocate 2x8 bytes (CallAddress and a buffer).
Create a thread.
Now we need to get the offset:
move the aobscanmodule symbol to a register and add the offset for the desired spot (the call):

```asm
mov rax,AobSearch
add rax,10 // rax now points at the E8 opcode (10 hex = 16 bytes into the pattern)
```

Move the allocated symbol for CallAddress to a register:

```asm
mov rbx,CallAddress
```

Now we can start to copy the offset.
Mind the endianness (because of this I use a buffer) :!:

```asm
// copy the 4 displacement bytes that follow the E8 opcode, least significant byte first
mov cl,[rax+1]
mov byte ptr[Buffer],cl
mov cl,[rax+2]
mov byte ptr[Buffer+1],cl
mov cl,[rax+3]
mov byte ptr[Buffer+2],cl
mov cl,[rax+4]
mov byte ptr[Buffer+3],cl
```

Now the buffer contains our desired call offset, and if we move it into a register it will be in the correct byte order.

But that will only work for a positive call.
If the game uses a negative offset (example: 11F1D9FF) then it's useless.
You can detect negative offsets for a call if you see FF at the end.

How to fix?

Fill the allocated buffer with:

```asm
dd 0           // low dword: receives the 4 displacement bytes
db FF FF FF FF // high dword: pre-filled so a negative offset reads as sign-extended
```

Now a check for a negative value and copy the buffer into a register:

```asm
cmp byte ptr[buffer+3],FF  // top byte FF -> negative offset
mov ecx,dword ptr [buffer] // positive: zero-extended dword (mov does not touch the flags)
jne @f
mov rcx,qword ptr [buffer] // negative: the FF-filled high dword makes it sign-extended
@@:
```

rcx will contain a correct value if the offset is negative.

Add it to the register which contains the address of the aobscan and write it to the CallAddress symbol (rbx in my example):

```asm
add rax,rcx
mov [rbx],rax
```
(3) Use the symbol as region

Use [CallAddress] as memory scan start address and do an array of byte scan with Cheat Engine for unique wildcard AOBs in the desired function (it's really easy now).

If you have the unique AOBs: use aobscanregion for the actual script that contains the cheat :D

```asm
aobscanregion(Gems,[CallAddress],7fffffffffffffff,0F 29 44 24 20 0F 10 46 20 0F 29 4C 24 30 0F 29 44 24 40 E8 ** **)
```

And well, that's it :)

Now you have a "map" that generates a symbol to the desired function that will work regardless of game updates (ok, if the devs change too much then it can break the AOBs of course ^^).

Note: you may have to do 2 "maps" if you don't find a spot at the first return function.

Complete script sample:

```asm
[ENABLE]
// unique pattern near the call; the E8 opcode sits at offset 10 (hex) inside it
aobscanmodule(AobSearch,GameAssembly.dll,48 8D 54 24 20 0F 29 44 24 60 F2 0F 11 54 24 70 E8)
registersymbol(AobSearch)

// 8 bytes that receive the computed address (the "CallAddress" symbol of the guide)
alloc(Region,8,AobSearch)
registersymbol(Region)

alloc(asmgold,$1000)
registersymbol(asmgold)
createthread(asmgold)

// 8 bytes: low dword receives the offset, high dword is pre-filled with FF FF FF FF
alloc(buffer,8)
registersymbol(buffer)

buffer:
dd 0
db FF FF FF FF

asmgold:
mov rax,AobSearch
add rax,10                 // rax -> the E8 opcode
mov rbx,Region
mov cl,[rax+1]             // copy the 4 displacement bytes, least significant first
mov byte ptr[buffer],cl
mov cl,[rax+2]
mov byte ptr[buffer+1],cl
mov cl,[rax+3]
mov byte ptr[buffer+2],cl
mov cl,[rax+4]
mov byte ptr[buffer+3],cl
cmp byte ptr[buffer+3],FF  // top byte FF -> negative offset
mov ecx,dword ptr [buffer] // positive: zero-extended dword (mov keeps the flags)
jne @f
mov rcx,qword ptr [buffer] // negative: FF-filled high dword = sign-extended offset
@@:
add rax,rcx                // address of the E8 + offset (5 bytes below the real call target, fine as a scan start)
mov [rbx],rax
ret

[DISABLE]
unregistersymbol(AobSearch)
unregistersymbol(Region)
unregistersymbol(asmgold)
unregistersymbol(buffer)
dealloc(Region)
dealloc(asmgold)
dealloc(buffer)
```
You like my tables and want to support me? My Patreon :)
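As an added example (not part of cfemen's post), the same offset resolution done offline in Python over a constructed byte string: call_target computes the real x86-64 destination (next instruction plus signed rel32), and ce_buffer_trick reproduces the script's FF-filled buffer arithmetic, generalised to test the sign bit of the top byte rather than only an FF byte, so both can be compared on a forward and a backward call. The module address, the rel32 values and the padding bytes are constructed.

```python
import struct

# Constructed sample data (not taken from the game): the 16 pattern bytes from the
# guide followed by the E8 opcode at offset 0x10, a constructed rel32 and padding.
PATTERN = bytes.fromhex("48 8D 54 24 20 0F 29 44 24 60 F2 0F 11 54 24 70 E8")
CODE_FWD = PATTERN + bytes.fromhex("34 12 00 00") + b"\x90" * 3   # call +0x1234
CODE_BACK = PATTERN + bytes.fromhex("F0 FF FF FF") + b"\x90" * 3  # call -0x10
BASE = 0x7FF612340000   # hypothetical address where PATTERN was found (AobSearch)
E8_OFFSET = 0x10        # the "add rax,10" of the script
MASK64 = (1 << 64) - 1


def call_target(code: bytes, e8_offset: int, base: int) -> int:
    """Real destination of an x86-64 near CALL: the rel32 is a signed
    little-endian dword relative to the address of the *next* instruction."""
    if code[e8_offset] != 0xE8:
        raise ValueError("no E8 opcode at offset %#x" % e8_offset)
    rel32 = struct.unpack_from("<i", code, e8_offset + 1)[0]  # '<i' = signed LE
    return (base + e8_offset + 5 + rel32) & MASK64


def ce_buffer_trick(code: bytes, e8_offset: int, base: int) -> int:
    """Byte-for-byte mirror of the script: the 4 displacement bytes land in the
    low dword of an 8-byte buffer whose high dword is FF FF FF FF; a negative
    displacement uses the whole qword (sign-extended), a positive one only the
    zero-extended dword. Like the script, it adds to the address of the E8
    byte itself, so the result sits 5 bytes below call_target()."""
    buf = bytearray(code[e8_offset + 1:e8_offset + 5]) + b"\xFF\xFF\xFF\xFF"
    if buf[3] & 0x80:                      # sign bit set (guide checks for FF only)
        disp = struct.unpack("<Q", bytes(buf))[0]
    else:
        disp = struct.unpack_from("<I", buf)[0]
    return (base + e8_offset + disp) & MASK64


if __name__ == "__main__":
    for name, code in (("forward", CODE_FWD), ("backward", CODE_BACK)):
        print(name, hex(call_target(code, E8_OFFSET, BASE)),
              hex(ce_buffer_trick(code, E8_OFFSET, BASE)))
```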
